Description of Windows service wrappers

What is a service wrapper?

For a service to run it has to present a certain interface to the operating system (the Service Control Manager),
for example so the service can be started and stopped. The implementation of this interface is
very similar for many services, so to minimize the size and complexity of the actual
service it is placed inside a service wrapper, which implements the common parts once and loads
the services themselves as DLLs. The service wrapper also saves resources by running several
services inside a single process.
When there are problems with a service wrapper, they are usually caused by one or more
of the services running within the context of the service wrapper, not by the wrapper itself.

Which service wrappers exist?

Some of the common service wrappers that can be seen in the Task Manager:

Why do service wrappers request access to the Internet?

When a service inside a service wrapper needs to access the network, the socket is opened by the
service wrapper process, so the service wrapper becomes the one that appears to be requesting access.
A firewall that identifies programs by their executable therefore cannot tell which of the hosted services
is talking, and one should be careful before using it to block network access for a service wrapper,
because the rule affects every service hosted in it.
Usually one can see which service wants access by looking at the port number:

Note: if a software firewall is used and access is granted to a service wrapper, then all
services within the service wrapper are given access, unless the rule is restricted so that
only a certain port number (or remote address) is allowed for the service wrapper.
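The difference between a rule for the whole wrapper and a rule narrowed to a port or a single service, as an added PowerShell example that is not part of the original page. It uses the Windows Firewall cmdlets available since Windows 8 / Server 2012 (New-NetFirewallRule, Remove-NetFirewallRule are real cmdlets; the rule names are this example's own, and wuauserv is the Windows Update service used as the example service elsewhere on this page). Run it elevated.

```powershell
# Added example, not from the original page. Three outbound rules for the same
# service wrapper, from too broad to scoped to one hosted service.
$svchost = "$env:SystemRoot\System32\svchost.exe"

# Too broad: every service inside every svchost.exe instance may talk out,
# which is exactly the situation the text warns about.
New-NetFirewallRule -DisplayName 'Example: svchost all (too broad)' `
    -Program $svchost -Direction Outbound -Action Allow | Out-Null

# Narrower: the wrapper may only use HTTP/HTTPS. This still covers every
# hosted service that happens to use those ports.
New-NetFirewallRule -DisplayName 'Example: svchost to 80/443' `
    -Program $svchost -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 80,443 | Out-Null

# Narrowest: -Service ties the rule to the service itself (the firewall
# matches on the service's SID inside the process), so the other services
# sharing the same svchost.exe instance are not covered by it.
New-NetFirewallRule -DisplayName 'Example: Windows Update only' `
    -Program $svchost -Service wuauserv -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 80,443 | Out-Null

# Show what was created, then remove the two broad example rules again.
Get-NetFirewallRule -DisplayName 'Example: *' |
    Select-Object DisplayName, Direction, Action, Enabled | Format-Table -AutoSize
Remove-NetFirewallRule -DisplayName 'Example: svchost all (too broad)'
Remove-NetFirewallRule -DisplayName 'Example: svchost to 80/443'
```

Allow rules only matter when the profile's default outbound action is Block (Set-NetFirewallProfile -DefaultOutboundAction Block); with the default Allow policy they change nothing. The same three shapes (by program, by program and port, by service) are what a third-party software firewall offers when it asks about Svchost.exe.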

To see the processes along with the port numbers they use:

WinXP (Will show open ports and the process-id they belong to)

netstat -ano

To convert the process-id to a process-name use TList or Tasklist (see below); Tasklist with the /svc switch also
lists the services running in each process, so if the process is a service wrapper one can also see the services running within it.

WinXP SP2 (Will show open ports and the process-name and component they belong to; on newer Windows versions this switch requires an elevated command prompt)

netstat -b

CurrPorts by Nirsoft is a GUI version of netstat that works with WinNT/2k/XP
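The same join of open ports, process and hosted services done in PowerShell, as an added example that is not part of the original page. Get-NetTCPConnection and Get-NetUDPEndpoint (Windows 8 / Server 2012 and later) take the place of netstat -ano, and the Win32_Service class takes the place of tasklist /svc; on older systems the two command outputs would have to be parsed instead. The function name Get-PortOwner and the column names are this example's own. Run it elevated so the owning process of every endpoint is visible.

```powershell
# Added example, not from the original page. Joins each open port to the
# owning process and to the services currently hosted in that process.
function Get-PortOwner {
    # Services keyed by the PID they run in; PID 0 means the service is stopped.
    # Everything is cast to [int]: Win32_Service and Get-Net* report UInt32 while
    # Get-Process reports Int32, and a hashtable treats 4 and [uint32]4 as
    # different keys, so the lookup would silently miss without the cast.
    $servicesByPid = @{}
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $procId = [int]$svc.ProcessId
        if ($procId -eq 0) { continue }
        if (-not $servicesByPid.ContainsKey($procId)) { $servicesByPid[$procId] = @() }
        $servicesByPid[$procId] += $svc.Name
    }
    $processByPid = @{}
    foreach ($p in Get-Process) {
        $procId = [int]$p.Id
        $processByPid[$procId] = $p.ProcessName
    }

    $tcp = Get-NetTCPConnection | ForEach-Object {
        [pscustomobject]@{ Proto = 'TCP'; LocalPort = $_.LocalPort; State = "$($_.State)"; Owner = [int]$_.OwningProcess }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{ Proto = 'UDP'; LocalPort = $_.LocalPort; State = ''; Owner = [int]$_.OwningProcess }
    }
    foreach ($e in @($tcp) + @($udp)) {
        $hosted = if ($servicesByPid.ContainsKey($e.Owner)) { $servicesByPid[$e.Owner] -join ', ' } else { '' }
        [pscustomobject]@{
            Proto     = $e.Proto
            LocalPort = $e.LocalPort
            State     = $e.State
            PID       = $e.Owner
            Process   = $processByPid[$e.Owner]
            Services  = $hosted   # more than one name here = a shared service wrapper
        }
    }
}

# Everything the svchost.exe instances have open, so a firewall rule can be
# limited to the port that belongs to the service in question.
Get-PortOwner | Where-Object { $_.Process -eq 'svchost' } |
    Sort-Object PID, Proto, LocalPort | Format-Table -AutoSize
```

A row whose Services column lists several names is the case the firewall note above is about: the port can be attributed to the process, but only the port number (or the service's own documentation) tells which of the hosted services opened it.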

Why is Svchost.exe listed several times in the task list?

This is because Svchost.exe can load different groups of services,
depending on the user account and privileges needed by a certain group (LocalSystem, NETWORK SERVICE
or LOCAL SERVICE), or to isolate critical services for increased stability and ease of debugging.
On Windows 10 version 1703 and later, on machines with more than 3.5 GB of RAM, most services are
additionally split into a Svchost process each, which is why even more instances appear there.

To see the different groups that Svchost uses, open this key with a registry editor (each group is a REG_MULTI_SZ value listing the services in it):

Note it is possible to create a new group and move a service started with Svchost into this
group, so that it runs in a Svchost process of its own. This can be useful to diagnose which service in a group is causing unwanted behavior like high CPU / RAM usage.
(The same effect can be had without editing the registry by running "sc config wuauserv type= own" from an elevated command prompt;
"sc config wuauserv type= share" puts it back.) Stop the service first and do all the steps together: a service whose
ImagePath names a group it is no longer listed in cannot start.

Find the group that contains the service to investigate (ex. netsvcs)

Create a new group by adding another REG_MULTI_SZ value (ex. netsvcs2)

If there exists a sub-key with the same name as the group (ex. netsvcs), then make a copy of the sub-key and give it the new name (ex. netsvcs2); it holds the COM security parameters for the group

Edit the REG_MULTI_SZ for the new group (ex. netsvcs2) and add the service to investigate (ex. wuauserv)

Edit the REG_MULTI_SZ for the original group (ex. netsvcs) and remove the service (ex. wuauserv)

Edit the ImagePath value of the service (under HKLM\SYSTEM\CurrentControlSet\Services\wuauserv) so it ends in "-k netsvcs2" instead of "-k netsvcs"; otherwise the Service Control Manager keeps starting it in the old group's process and the service fails to start
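The whole procedure as one PowerShell script, an added example that is not part of the original page. The two registry paths are the real ones used by Svchost (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost) and by the Service Control Manager (HKLM\SYSTEM\CurrentControlSet\Services); the parameter names and the defaults wuauserv / netsvcs / netsvcs2 are this example's own and mirror the steps above. Run it elevated, after backing up the registry, with the service stopped.

```powershell
# Added example, not from the original page. Moves one service out of its
# Svchost group into a new group so that it gets a Svchost.exe process of its own.
param(
    [string]$Service  = 'wuauserv',
    [string]$OldGroup = 'netsvcs',
    [string]$NewGroup = 'netsvcs2'
)

$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$serviceKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service"

# Step 1: the old group must exist and contain the service.
$members = (Get-ItemProperty -Path $svchostKey -Name $OldGroup -ErrorAction Stop).$OldGroup
if ($members -notcontains $Service) { throw "$Service is not listed in group $OldGroup" }

# Steps 2 and 4: create the new REG_MULTI_SZ group holding the service
# (or append to it if the group already exists).
$existing = Get-ItemProperty -Path $svchostKey -Name $NewGroup -ErrorAction SilentlyContinue
if ($existing) {
    $newMembers = [string[]](@($existing.$NewGroup) + $Service | Select-Object -Unique)
    Set-ItemProperty -Path $svchostKey -Name $NewGroup -Value $newMembers -Type MultiString
} else {
    New-ItemProperty -Path $svchostKey -Name $NewGroup -PropertyType MultiString `
        -Value ([string[]]@($Service)) | Out-Null
}

# Step 3: copy the group's parameter sub-key (COM security settings) if there is one.
$oldSubKey = Join-Path $svchostKey $OldGroup
$newSubKey = Join-Path $svchostKey $NewGroup
if ((Test-Path $oldSubKey) -and -not (Test-Path $newSubKey)) {
    Copy-Item -Path $oldSubKey -Destination $newSubKey -Recurse
}

# Step 5: take the service out of the old group.
$remaining = [string[]]@($members | Where-Object { $_ -ne $Service })
Set-ItemProperty -Path $svchostKey -Name $OldGroup -Value $remaining -Type MultiString

# Step 6: point ImagePath at the new group. Read it unexpanded so that
# %SystemRoot% is written back as-is, and keep the REG_EXPAND_SZ type.
$imagePath = (Get-Item $serviceKey).GetValue('ImagePath', '',
    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
$pattern = "-k\s+$([regex]::Escape($OldGroup))\b"
if ($imagePath -notmatch $pattern) { throw "ImagePath '$imagePath' does not start $Service in group $OldGroup" }
$newImagePath = $imagePath -replace $pattern, "-k $NewGroup"
Set-ItemProperty -Path $serviceKey -Name ImagePath -Value $newImagePath -Type ExpandString

Write-Host "$Service moved from $OldGroup to $NewGroup; ImagePath is now: $newImagePath"
```

After "Start-Service wuauserv" a new Svchost.exe instance started with "-k netsvcs2" appears in the task list and hosts only that service, so its CPU, memory and network use can be read off directly. Reversing the script's three registry edits (or "sc config wuauserv type= share" if the sc shortcut was used) restores the shared process.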

What could cause a service wrapper to crash?

If a single service running within the service wrapper performs a faulty operation (an unhandled exception, for example),
then it is possible for that single service to take down the whole service wrapper along with all other services
running within it, because they share one process. For the same reason a vulnerability in one hosted service exposes
the whole process; this can be experienced when open to these exploits:

Why is the service wrapper using 100 percent of the CPU?

This is not normal behavior and is usually caused by a malfunctioning service running inside the service wrapper. To diagnose which service is causing the trouble:

Look in the Event Log for error messages, and if error messages are present use them as the starting point.

If there are no error messages, use the Windows Task Manager to find the service wrapper instance causing the trouble, and then use the technique described above (Tasklist /svc) to discover which services reside inside that instance.

Some trojans, spyware and other malware try to hide by using the executable name of a service wrapper. The genuine Svchost.exe lives in %SystemRoot%\System32 and is started by Services.exe; a copy running from another folder, or under a look-alike name, is suspect. Make sure the system is not infected.

If there is no clear evidence of which service is causing the trouble, stop each service in the service wrapper one by one and see when the problem goes away (be careful with critical services). Another way is to move each service out into its own service wrapper using the method described above.
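The diagnosis steps above as one PowerShell report, an added example that is not part of the original page: every process named svchost.exe with its CPU time, the account it runs as, the group it was started with, the services it currently hosts, and a flag for any copy that does not run from the System32 folder. Win32_Process, Win32_Service and the GetOwner method are real WMI classes/methods; the column names are this example's own. Run it elevated so that the path and owner of every process can be read.

```powershell
# Added example, not from the original page. Ranks Svchost.exe instances by
# CPU time and shows what each one hosts, plus an impostor check on the path.
$services  = Get-CimInstance -ClassName Win32_Service
$systemDir = [Environment]::SystemDirectory    # e.g. C:\Windows\System32

$report = foreach ($proc in Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'") {
    $procId = [int]$proc.ProcessId
    # Services whose ProcessId matches this instance (cast avoids UInt32/Int32 mismatch).
    $hosted = @($services | Where-Object { [int]$_.ProcessId -eq $procId } | Select-Object -ExpandProperty Name)
    # The group is the "-k <name>" argument the Service Control Manager started it with.
    $group  = if ($proc.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '' }
    $owner  = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
    # Win32_Process reports kernel and user time in 100-nanosecond ticks.
    $cpuSeconds = [math]::Round(($proc.KernelModeTime + $proc.UserModeTime) / 1e7, 1)
    # ExecutablePath is $null when we lack access; treat unknown as suspicious.
    $fromSystem32 = ($null -ne $proc.ExecutablePath) -and
                    $proc.ExecutablePath.StartsWith($systemDir, 'OrdinalIgnoreCase')
    [pscustomobject]@{
        PID        = $procId
        CPUSeconds = $cpuSeconds
        Group      = $group
        Account    = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '?' }
        Suspicious = -not $fromSystem32
        Services   = ($hosted -join ', ')
        Path       = $proc.ExecutablePath
    }
}

$report | Sort-Object CPUSeconds -Descending | Format-Table -AutoSize

# Anything flagged here deserves a closer look (hash the file, check its signature).
$report | Where-Object Suspicious
```

A hot instance whose Services column lists several names is the case for the stop-one-at-a-time or split-the-group approach above; an instance with Suspicious set to True, or one that hosts no service at all, is a candidate for the malware check rather than for service tuning.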

These services are known to cause trouble for people:

System Restore Service can fail when trying to create a restore point, which leads to high CPU usage. The solution is usually to clear all restore points (on Windows XP, turning System Restore off and on again does this).

Microsoft uses all these wrappers to hide what they are doing, as Windows calls home every other second, and it makes it just about impossible to see what is going on inside Windows.

Windows bloatware (Win8 = 1000 X more memory needed than XP) does not include many .exe programs, but who needs them when you have host processes to run 5000 plus .dll's, and let's throw in the Windows registry that now uses GUIDs linked to DLL files and has over 400,000 keys (yes, I ran code to count them), and it is not too hard to see why Windows has become a monster that few people understand, and that includes me even after 20 years of working with Windows.

Run netstat -n -a -o from a command window to see the number of ports locked up by Windows, and developers should also know that Windows lies when asked for a list of locked files using Windows APIs, and the same is also true when asking for a process list.

Developers now rely on calling the Windows .NET Framework or ATL from C++ so much that few really know what is going on, and it's like saying that you are a top chef when all you are doing is buying tinned food from the local shop and serving it up. If the tin says it contains no sugar, then that's the end of the argument so far as many are concerned.

Just how big does the registry need to be, or how many services / processes / drivers and triggers inside scheduled tasks do we need, before people start to see that this is not good practice or good code, and will stop allowing Microsoft "Experts" to keep pulling the wool over people's eyes?

Try finding and then deleting those hidden Index.dat files in Windows to see that your machine is now little more than a remote terminal for Windows.